Tag: HIPAA

PHI Breach detection in county government

The Office of Civil Rights (OCR) maintains a list of HIPAA breach investigations which currently lists over 400 open breach investigations.

One interesting breach is Adams County, Wisconsin which was leaking information undetected for over five years from 2013 and it highlights the lack of controls counties have in place for detection of security anomalies.

It’s pretty easy to determine whether or not counties have appropriate controls in place. The first question to ask is do they have a risk assessment? If your local government organization doesn’t conduct ongoing periodic risk assessments, you aren’t compliant with the HIPAA Security Rule. So, if you don’t have a risk assessment, get one so you can identify potential problems.

There are roughly 40 policy requirements for the HIPAA Security Rule and HIPAA sets a low bar in comparison to ISO/IEC 27001 and NIST CSF. If your county security policy doesn’t have these 40 policies in place, with corresponding processes and procedures you aren’t compliant with HIPAA.

We offer a low-cost 90 minute HIPAA workshop to help you assess your level of HIPAA compliance. The worst time to find out that you aren’t compliant is after a breach!

HIPAA’s not just for hospitals

Most counties and behavioral health organizations aren’t compliant with the HIPAA Security rule, but don’t take my word for it. Download the HIPAA Security Rule directly from HHS and read it over the weekend. If you want to talk about it, grab a 30-minute slot in my calendar and we’ll discuss your security policies and procedures at no charge.

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

How do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that that level while also getting compliant with federal law.

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:

Administrative Safeguards (9 components)

Physical Safeguards (4 components)

Technical Safeguards (5 components)

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005.

Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids’ Harry Potter books.

If someone (i.e. an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn’t describe your organization, you are not alone and there is no time like to present to begin the process.

Compliance isn’t a one-time, passive event and there are routine steps you must take ensure the CIA (confidentiality, integrity and availability) of your clients’ protected health information (PHI).

Denial and disbelief

Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation.

Holistic information security

I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on some generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together.

Form a governance committee

Developing your security policy isn’t an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team:

1. Executive owner

2. Legal

3. HR

4. Information technology

5. Line of business units

6. Records management

7. Risk management, privacy and information security officer roles (Many municipal governments do not employ these functional roles, but they will once they have developed their policy).

Read the regulations!

I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement.

Compliance Matrix

Caveat emptor

Vendors often market products as being “HIPAA compliant.” If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization’s policy rather than to the rule itself.

Get to work!

If you are now nauseous because you realize that you are not even remotely in compliance, that’s a good thing. Use that feeling to quickly get to work to protect your organizational information assets.

Is your information secure?

Are your organization’s information assets absolutely secure? Do your staff and contractors assure you that everything is safe? How do they know? And how about all those paper files? Is confidential data appropriately labeled and stored in a secure, locked and monitored facility? How do you know? How would anyone even know if there was a breach?

The role of IT Staff

I have sat in meetings with IT Staff who have sworn up and down that the network is secure without any facts or data to support that assertion. What are your IT staff and contractors doing every day to ensure that your information is secure? And what about staff that maintain other types of physical instruments and records?

The role of vendors

I have also sat in many meetings with security vendors who have made outrageous and patently false statements, like “our product is HIPAA compliant.” (There is no such thing. The HIPAA Security Rule is a federal regulation that describes the framework for developing a security policy for certain types of information and organizations. HIPAA is purposely technology and vendor-neutral). Every security vendor wants you to believe that they are selling a magical product that will keep your organization secure from all the evils that result from being connected to the entire world through the Internet.

There are no magic products

The truth of the matter is that there are no products or services that will inherently ensure and maintain the confidentiality, integrity and availability (CIA) of your information. Information Security is about process, policy, procedure, and training rather than about installing products. A successful security program comes as a result of looking closely at both the macro view and the micro details and taking appropriate, thoughtful actions using a cycle of continuous improvement. Security products might be a part of your overall security strategy, but without sensible policies. procedures, and training the products themselves are unlikely to produce the desired, advertised result.

Do you have a Comprehensive Information Security Policy?

If you are larger than a Mom and Pop operation, you should have a Comprehensive Information Security Policy. If you are running a municipality or corporation with dozens or hundreds of employees, the lack of such a policy probably constitutes organizational malpractice or malfeasance at some level. Moreover, your policy shouldn’t be just a dusty book on the shelf – all your employees should have had training on and understand the policy.

You can wait for a catastrophic security event to wake your organization up, or you can take action now to prevent an embarrassing and costly revelation. For instance, if your organization is required to comply with HIPAA, the wake up call could come in the form of a multi-million dollar fine from HHS or civil litigation. Or you might end up paying ransom to buy back your data from data pirates. These risks are real and well documented.

How do I get started with a Security Policy?

There are many options for developing a comprehensive information security policy. You can purchase kits, buy books, hire consultants, etc. You can do it yourself, or contract it out, but the process will be largely the same either way. I will give you a 40,000 foot view and you can decide how to proceed. Other than time, the initial costs should not be high, but securing your information infrastructure will definitely have some impact on your budget, albeit less than the eventual cost of not addressing security. Even if this is a DIY project, outsourcing some aspects is probably appropriate unless you have staff members who have been extensively trained in information security domains and disciplines.

Make sure the right people are at the table!

This is NOT an Information Technology project. It is a critical enterprise business, policy and security project, so you want to make sure you have the appropriate stakeholders at the table. Establish a multi-disciplinary committee to participate in the process. Managers and Department Heads from different departments may provide illuminating perspectives and the group must also include rank and file members of your staff who actually do the work (AKA the minions). Staff members with security and military backgrounds may have much to contribute. People who may have had experience in highly regulated industries, such as Pharmaceutical, Insurance, Medical, Public and Mental Health, and Law Enforcement may also have much to contribute to the process. HR and Legal must be at the table. I am certain that your organization has untapped, expert resources, so find them and use them.

Inventory your Assets

Once your Information Security Committee is assembled, its time to get to work. The first step is going to be a Risk Assessment. Since you have already established your Information Security committee, begin the Risk Assessment process by cataloging and categorizing all your information resources. Information in this catalog may include paper files, network and computer files including backups, archival and historical records, microfilm, tax records, specifications, etc. There are payroll records, health insurance records, possibly protected medical information, HR information, meeting records, AR and AP records. All of these records may contain information protected by local, state or federal statute. There may be proprietary information related to manufacturing or other information such as videos, films, sound recordings that you may want or need to protect in some way. Use an interrogative process to identify, catalog, and categorize all this information. The output of this process should be a detailed document that clearly identifies all of these assets.

It may be appropriate to contract a qualified consultant for the Risk Assessment process. Why? Regardless of how intelligent and qualified the members of your staff are, they are probably immersed in your organizational culture. They may have biases and make assumptions because “we have always done it this way.” Outsiders may be able to see past the assumptions and biases that your staff members can’t

Once you have completed this process, you will almost certainly have found information that you didn’t even know you had. If you found sensitive information without any plan for protecting it, you might have trouble sleeping until your committee comes up with a plan.

Once you know what types of information for which you are responsible, ask yourself and the Subject Matter Experts on your committee what statutes apply. There are at least a handful of regulations that always apply, and there may be dozens of regulations dealing with information-specific data you have to consider. You probably also found information not protected by statute that needs to be addressed. Do your current policies cover all the information in your catalog? In a subsequent article, I will continue with the next steps for securing your information.

Thinking of your staff will not change overnight.

If you have a large catalog of unprotected, sensitive information, changing the thinking of your staff toward privacy and security may take a while – months or years. Also, this is a perfect time to do a Business Process Review of your information collection operations. Maybe your forms are decades old and no longer reflect current practices. For instance, do you really need to collect social security numbers from the public? If you are collecting this information, are you handing a Privacy Policy when you ask for information? Are the people providing information truly giving informed consent?

If you want to discuss Information Security in your organization, send me an e-mail at jmorgan@e-volvellc.com.